At Adelia Risk, we understand that the complex rules regarding RIA cybersecurity are confusing. That’s why we built this comprehensive resource guide detailing everything you need to do to remain in compliance. Take a look, find what you need, and if you have any questions, just contact us. The Adelia Risk team is happy to help wealth management professionals with their cybersecurity needs.
Adelia Risk is a long-term partner, not a one-time cybersecurity consultant.
We don’t deliver a report then vanish. We work with you over time to reach your security goals.
The SEC requires registered investment advisors to implement dozens of cybersecurity requirements.
These requirements are split across a number of publications, regulations, and risk alerts. Here are the main ones:
We’ve relied on Adelia Risk for our cybersecurity for years, and the difference they’ve made is hard to overstate. Before Adelia, we had gaps we didn’t even know about. Their initial assessment was a real eye-opener, and the prioritized project plan they built gave us a clear path from where we were to where we needed to be.
What sets Adelia apart is the breadth of what they actually do. They run our phishing tests and security training, audit our Google Workspace configuration, review our third-party vendors, and keep our IT provider honest when things slip through the cracks. When they recommended a new email security tool, it proved itself quickly by catching a real threat and handling it exactly the way it should have been handled.
Our principal has always said cybersecurity is the one thing that could put us out of business. Having Adelia Risk in our corner means we’re more prepared than we’ve ever been. I’d recommend their RIA cybersecurity services without hesitation.
Damon H., RIA Cybersecurity Client
Wealth Management Firm, Connecticut
Adelia Risk has been our cybersecurity partner for nearly eight years, and the relationship has only gotten stronger. When they first came in, their reports surfaced vulnerabilities that had gone unaddressed for years. We took those findings seriously enough to completely change how we run our IT reviews. That honesty is exactly what we needed, and it set the tone for a partnership built on trust and accountability.
What sets Adelia apart is how involved they stay. They don’t hand us a checklist and disappear. They keep our IT provider honest, make sure nothing falls through the cracks, and guide us through decisions in plain English. When they recommended new security tools, those tools delivered. When they ran an AI security presentation for our staff, the feedback was overwhelmingly positive. They go well beyond what you’d expect.
We’re more prepared for anything that comes our way from both a compliance and security perspective, and that’s a direct result of working with Adelia Risk. I’d recommend their RIA cybersecurity services to any firm that wants a real partner, not just another vendor.
Stacey S., RIA Cybersecurity Client
Wealth Management Firm, Rhode Island
You may have heard chatter about some new, more stringent cybersecurity rules proposed in 2022 and 2023:
In a nutshell, these new regulations would have significantly raised the bar for wealth management firm cybersecurity. Most notably, RIAs would have been required to:
These new standards would have moved RIAs more towards the cybersecurity requirements of banks and other financial institutions.
While these new rules and regulations were never finalized and have been abandoned (for now), it’s helpful to understand how they signify new requirements that we may see in the future.
FINRA (a non-profit that regulates brokers and exchanges) also has something to say about cybersecurity. FINRA’s cybersecurity requirements tend to be higher-level than the guidance issued by the SEC.
Of special note:
One important difference between FINRA and the SEC is that FINRA does have published requirements to report issues in the form of Rule 4530: Reporting Requirements. It’s important that you read and understand your requirements under this rule.
If you need help making sense of these reporting requirements, we’d love to help. Take a moment to check out the RIA cybersecurity assistance we offer for wealth management firms and professionals.
While most RIAs focus on the SEC and FINRA, there are also two other cybersecurity regulations that apply to wealth management firms:
Here’s the good news – there is a high degree of overlap between GLBA, the FTC Safeguards Rule, the FINRA requirements, and the SEC requirements. The work you do for the SEC requirements will mostly cover the other regulations.
The United States has a complicated patchwork of laws and regulations that govern cybersecurity. Each state has its own requirements, and some states (like California and New York) have the strictest laws in the country.
If you have clients in New York, you’re required to comply with the New York Department of Financial Services (DFS) Cybersecurity Regulation 23 NYCRR Part 500. Most people just call it “NYDFS” for short.
NYDFS is more stringent than both the SEC’s and FINRA’s requirements. Most notably, NYDFS requires that financial firms notify them within 72 hours of any incidents, and companies must formally certify compliance once a year.
If you have clients in California, then you may be required to comply with the California Consumer Privacy Act of 2018 (CCPA). CCPA is less a cybersecurity regulation and more a law that focuses on giving your clients more control over their personal information. However, there are some cybersecurity requirements, and any RIA with clients in California should be aware of the law.
Companies that don’t comply with NYDFS or CCPA risk both fines and embarrassment. NYDFS has imposed multiple multi-million dollar fines, and CCPA has also fined many companies for sizable amounts.
The bottom line is that these state regulations don’t necessarily apply to every company, so consult with a qualified attorney or compliance consultant to determine whether NYDFS or CCPA applies to you. If either one does apply, you’ll need to do extra work to make sure you comply with its provisions, which differ from the SEC and FINRA guidance.
All of the SEC, FINRA, and federal requirements above, distilled into one checklist. Print it, share it with your compliance consultant, or use it to see where your firm stands today.
Free. No sales call required.
If you’ve tried to do some research around SEC or FINRA cybersecurity regulations, you’ve probably seen references to the “NIST Cybersecurity Framework” (or NIST CSF for short).
Even though NIST is part of the federal government, the NIST Cybersecurity Framework is not a law or a regulation, and there is no requirement for Registered Investment Advisors to follow it.
NIST, as a government entity, publishes standards that apply to lots of different industries (not just cybersecurity). They’re the keepers of the atomic clock that measures time, and the official definitions of “a pound” and “a kilogram.”
Even though NIST doesn’t provide a formal law or regulation, it’s still worth understanding the NIST CSF framework. NIST basically gives you a cheat sheet for how to best organize your cybersecurity efforts. If you can confidently say you comply with NIST, then you’ve already gone most of the way to comply with SEC, FINRA, GLBA, FTC, CCPA, NYDFS, etc.
The NIST CSF also provides a common-sense framework for thinking through your cybersecurity program:
Adopting the NIST CSF will certainly help with compliance, but (more importantly) it gives you a framework to improve your overall cybersecurity posture.
When we work with clients, we’ve already done the heavy lifting of interpreting the regulations above, and have put them into easy-to-understand, specific recommendations.
Here are just a few examples:
You can see a full list of cybersecurity articles on our Blog.
The bottom line is that we make it easy for wealth management firms to assess where they stand today, build an action plan, and then be your long-term partner in getting you to the point where you’re secure AND compliant.
Adelia Risk builds cybersecurity programs that cover SEC, FINRA, GLBA, and state requirements. One program, one monthly fee, and we handle the alphabet soup so you don’t have to.
For years, vetting your vendors was “best practice.” It was something you knew you should do…but you weren’t required to.
The 2024 amendments to Regulation S-P made it a written requirement, and the deadline for most RIAs has arrived.
Are you in compliance? Here are the dates that matter:
December 3, 2025
RIAs with $1.5 billion or more in assets under management had to comply by this date.
June 3, 2026
RIAs with less than $1.5 billion in AUM — the majority of advisory firms — had to comply by this date.
What the amended rule requires around vendors:
The newest updates have caught a lot of wealth management professionals off guard: if a breach happens at your CRM provider, portfolio software, or outsourced IT, the obligation to notify affected clients is now yours, not the vendor’s.
Schwab, Fidelity, Vanguard, BNY, and the other major custodians all run serious security programs. But here’s the thing: those controls protect their systems, and they have nothing to do with protecting your wealth management firm.
In short, a custodian’s SOC 2 report covers the custodian. It does not cover your laptops, your email, or the dozen other vendors in your stack. Treat your custodian as one well-secured vendor among many, not as your RIA cybersecurity program.
The good news is that a workable vendor-risk program for a small RIA doesn’t take enterprise software. It takes a current inventory of who touches client data, evidence you vetted them, contracts with the 72-hour notice clause, and an incident response plan you’ve actually tested. That’s part of the service we provide to RIAs.
There’s no SEC-approved list. The regulations tell you the outcomes you’re responsible for, but they leave the specific tools up to you. That’s good news and bad news.
So here’s what we actually deploy for RIA clients, organized the way we think about it. These are the tools we most often recommend. You’ll see that none of them are exotic…and that’s the point. They should be easy to use and do their job. That’s it — no need to overcomplicate it.
We’ve built our cybersecurity practice around helping RIAs get this right.
The foundational controls almost every RIA needs
These are the foundational tools we suggest.
Multi-factor authentication (MFA)
You need this on everything, including:
It’s the single highest-impact RIA cybersecurity control you can turn on, and examiners now expect it. Microsoft Authenticator through Entra ID is the most common tool we see, although some of our RIAs also prefer to use Duo or Okta.
A team password manager
Shared logins in a spreadsheet are the most common problem we find. A password manager ends that and gives you a record of who can access what. We typically recommend 1Password, with Keeper and Bitwarden as solid alternatives.
Email security that catches phishing and impersonation
Most RIA incidents start with a convincing, fake email. For our RIAs, we recommend using a third-party tool to augment the phishing protection that both Microsoft and Google provide. This is one area where it makes sense to have multiple layers of security to prevent a real breach.
Endpoint detection and response (EDR)
This has to be more than just consumer antivirus. EDR actively watches each device for suspicious behavior and can isolate a compromised laptop instead of just scanning for known viruses. We mostly see our clients using SentinelOne, CrowdStrike, or the paid version of Microsoft Defender (if they don’t have any Macs). One of these belongs on every device that touches client data, including the ones your team uses from home.
Encrypted backups
First, make sure your backup actually works, meaning you have restored from it and confirmed the data comes back intact. The Regulation S-P recovery expectations assume you can get your data back. For your RIA cybersecurity, consider tools from companies like Datto and Veeam.
The compliance portion that makes RIA cybersecurity different
Here's what the SEC and FINRA examiners specifically expect from advisers:
A tamper-proof email and messaging archive
SEC Rule 17a-4 and the Advisers Act recordkeeping rules require you to retain business communications in a tamper-proof archive. That now includes text and chat, not just email. Most of our clients use Smarsh, Global Relay, or Microsoft/Google’s built-in tools for this.
Security awareness training with simulated phishing
Examiners ask whether you train your staff, and they want to see records. KnowBe4 is our standard because it runs scheduled training and sends fake phishing tests so you can show who’s been trained and who still clicks.
Vulnerability scanning
These RIA cybersecurity tools regularly check your systems for known weaknesses before someone else does. This is a clear SEC requirement.
For wealth management firms that want to go beyond the basics
Not every small RIA needs these, but they're definitely something to consider as your firm grows:
DNS filtering
For this, consider tools like DNSFilter or Cisco Umbrella. They block your staff from reaching malicious sites in the first place.
24/7 monitoring / managed detection and response
This is less a single tool than an outsourced security team that watches your alerts around the clock, including overnight, when most attacks happen.
We want to be honest. Tools are maybe a third of the job. The other two-thirds is the program around them. Owning that program for RIAs is exactly what we do.
Not sure what you’ve already got covered?
The main cybersecurity regulations for RIAs include SEC requirements, FINRA regulations, the Gramm-Leach-Bliley Act (GLBA), and the FTC Safeguards Rule. Some state-specific regulations like NYDFS and CCPA may also apply depending on your client base.
Yes, notably the New York Department of Financial Services (NYDFS) Cybersecurity Regulation for firms with New York clients, and the California Consumer Privacy Act (CCPA) for those with California clients. Other states may have their own requirements, though they tend to be less stringent.
The SEC periodically updates its cybersecurity requirements. While there’s no set schedule, the SEC issues risk alerts and guidance as new threats emerge or industry practices evolve. It’s crucial for RIAs to stay informed about these updates.
Consequences can include regulatory fines, reputational damage, loss of client trust, and in severe cases, legal action. The SEC has the authority to impose significant penalties for non-compliance.
The NIST Cybersecurity Framework is a voluntary set of guidelines for managing cybersecurity risks. While not mandatory for RIAs, following the NIST CSF can help ensure comprehensive cybersecurity practices and aid in compliance with various regulations.
RIAs can prepare by regularly assessing their cybersecurity posture, maintaining comprehensive documentation of policies and procedures, conducting staff training, and potentially using a cybersecurity checklist designed for SEC compliance.
A Virtual CISO is an outsourced cybersecurity expert. They can help RIAs build a robust cybersecurity program, ensure regulatory compliance, and manage cybersecurity risks without a full-time hire.
Common threats include phishing attacks, ransomware, wire fraud, banking trojans, and data breaches. Social engineering tactics targeting employees and clients are also prevalent.
RIAs should conduct risk assessments at least annually. However, more frequent assessments may be necessary when significant changes occur in the business or technology environment.
Best practices include strong access controls, encrypting sensitive data, regularly updating software, conducting employee training, using secure communication channels, and having a robust incident response plan.
Effective training includes regular sessions on recognizing threats, safe internet practices, proper data handling, and incident procedures. We also recommend (and provide) simulated phishing tests.
An incident response plan should include steps for identifying, containing, and mitigating security incidents, roles and responsibilities of team members, communication protocols, and procedures for notifying affected parties and regulators.
While core security principles apply to both, cloud-based systems often require additional focus on vendor management, data encryption in transit and at rest, and configuring security settings that are your responsibility.
Key components include data backup and recovery procedures, alternate work locations, communication plans, critical business function identification, and regular testing and updates of the plan.
Rule 206(4)-9 is a proposed SEC rule that would require investment advisers to adopt and implement written cybersecurity policies and procedures, report significant cybersecurity incidents, and provide cybersecurity-related disclosures to clients. This rule is unlikely to be implemented in its current form.
Rule 204-6 is a proposed SEC rule that would amend existing recordkeeping, reporting, and disclosure rules. It would require advisers to maintain specific records related to their cybersecurity policies, procedures, risk assessments, and incidents. This rule is unlikely to be implemented in its current form.
Start with the foundation: multi-factor authentication on every account, a team password manager, email security that catches phishing, endpoint detection and response — EDR — on every device, and encrypted backups you’ve tested. Then add the three tools that make RIA compliance different from generic small-business security: a tamper-proof email and messaging archive for SEC Rule 17a-4 recordkeeping, vulnerability scanning, and security awareness training with simulated phishing that you can show an examiner. Remember that tools are only about a third of compliance — the documented program around them is what an SEC examiner asks to see.
The 2024 amendments to Regulation S-P require RIAs to maintain a written incident response program, oversee service providers that handle customer information, notify affected clients within 30 days of a breach of sensitive customer information, and keep related records for five years. Firms with $1.5 billion or more in AUM had to comply by December 3, 2025, and smaller firms had to comply by June 3, 2026.
Major custodians like Schwab, Fidelity, Vanguard, and BNY secure their own platforms and often provide fraud monitoring and authentication tools for accounts held with them. But a custodian’s security program protects the custodian’s systems — not your firm’s email, devices, or other vendors. Your cybersecurity and Reg S-P obligations are yours no matter how secure your custodian is.
Most small RIAs meet their requirements without hiring internal IT by doing three things:
This creates a defensible program you can prove is running.
You’ve just read through a lot of regulations. We help RIAs make sense of all of it and build a security program that actually satisfies examiners. Schedule a free consultation. We’ll talk about your firm, your concerns, and whether we’re a good fit. No pressure.